ecard changes its appearance and rootkit, again!
The ecard malware, also known as the W32/Zhelatin worm, has changed its tactics again. The new mails are different from the old ones: they arrive as a "membership confirmation mail" from web services such as MP3 World or Dog Lovers club. An example is shown in the screenshot below. Notice that the IP address is no longer visible in the mail:
As usual, a few malicious files are dropped when that site is visited. However, the contents of the site have changed again. Here's the new one:
Another major change is in the rootkit dropped by the malware. This rootkit modifies the on-disk image of Null.sys, a file required by the Windows operating system. However, Windows File Protection (WFP) catches this change as soon as the rootkit modifies the file, and pops up a warning:
This can also be verified with the sigverif tool bundled with Windows XP. Here's the scan result of sigverif:
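For readers who want to repeat the WFP/sigverif check described above from a script, here is an added PowerShell example (not code from the original post or from the malware analysis): it compares the live Null.sys against the WFP cache copy in dllcache and checks its Authenticode status. The file paths assume a default %SystemRoot%, and the dllcache copy only exists on Windows XP-era systems.

```powershell
# Added example, not part of the original post. Verifies that a WFP-protected
# driver (here Null.sys, the file the rootkit patches) is unmodified.
# Assumptions: default %SystemRoot% layout; dllcache present only on XP/2003.
$driver = Join-Path $env:SystemRoot 'System32\drivers\null.sys'
$cache  = Join-Path $env:SystemRoot 'System32\dllcache\null.sys'

function Test-ProtectedDriver {
    param([string]$Path, [string]$CachePath)
    $result = [ordered]@{ Path = $Path; Exists = (Test-Path $Path) }
    if (-not $result.Exists) { return [pscustomobject]$result }

    # A patched image no longer matches its signed hash: Status becomes
    # HashMismatch (embedded signature) or NotSigned (catalog no longer matches).
    # Older PowerShell hosts may report NotSigned for catalog-signed drivers even
    # when intact; on those, rely on sigverif as the post does.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # WFP keeps a pristine copy in dllcache; a differing hash means the live file was altered.
    if (Test-Path $CachePath) {
        $liveHash  = (Get-FileHash -Path $Path      -Algorithm SHA256).Hash
        $cacheHash = (Get-FileHash -Path $CachePath -Algorithm SHA256).Hash
        $result.MatchesWfpCache = ($liveHash -eq $cacheHash)
    } else {
        $result.MatchesWfpCache = 'n/a (no dllcache copy on this Windows version)'
    }

    $result.Suspicious = ($sig.Status -ne 'Valid') -or ($result.MatchesWfpCache -eq $false)
    [pscustomobject]$result
}

Test-ProtectedDriver -Path $driver -CachePath $cache | Format-List
```

Because the rootkit also hides its own files, a clean result here only covers Null.sys; treat a WFP warning or a sigverif finding as the stronger signal.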
Apart from these changes, the rootkit also hooks the SSDT entry of the NtQueryDirectoryFile API in order to hide its files. More information about this rootkit can be found in this previous post.
If you are getting mails like the one given above, delete them and do NOT visit the links given in the mails!